Accessible password input

If you read a few of my other blog posts, like Naomi85 – password generator, it might surprise you to know that I don’t like passwords, and that I find them horrible from both a usability and a security point of view.
Managing passwords is hard. If you try to do it right, you must keep a unique and complex password for each service you use. More than once, I forgot a decryption password and spent hours, even days, trying to recall it. Password managers help, but using them securely is not that simple.


Common Encryption Pitfalls

Part 3 - Rethinking AccessURL Security Design

This is the last part of a three-part blog series about AccessURL –

  1. Password Security and Cookies
  2. Security issues with AccessURL original implementation
  3. Solving all the issues by a simple design change

In the previous post we saw a few security issues in the way AccessURL generates the passphrase and the id for the share URL. In this post we’ll see how a slightly different use of almost the same security concepts AccessURL already relies on gives considerably more security.

Common Encryption Pitfalls

Part 2 - Security Issues Found

This is the second part of a three-part blog series about AccessURL –

  1. Password Security and Cookies
  2. Security issues with AccessURL original implementation
  3. Solving all the issues by a simple design change

Security issues found

After using the AccessURL browser extension I found a few issues that allowed me to get almost any credentials. To better understand the issues, let’s look at a sample URL you get from the extension –
https://accessurl.com/GMRT#yzdne1
This URL has two parts: “GMRT” is the identifier that is sent to the AccessURL server and retrieves the encrypted data; the part after the hash sign (the URL fragment), “yzdne1”, is never sent to the server and is used as the key to decrypt that data and recover the cleartext cookie.
Unfortunately, both of these values are too short to be safe from a brute-force attack (an attack where you try every possible value until you get a valid result).

Common Encryption Pitfalls

When Using AES256 Is Not Enough - Part 1

I recently came across AccessURL. AccessURL is an online service which offers an easy way to allow access to online accounts without sharing the account password.
Unfortunately, their initial implementation had some security issues. In this post, I will describe these issues and suggest how to fix them. It is important to say that AccessURL has since fixed them.

These kinds of mistakes are very easy to make, and they are relevant to almost any online service. My aim is to provide information that will be useful for both web users and professional web developers. Feel free to skip the parts you’re already familiar with.

Rethinking Ember

It’s been 20 months since I published my first post about Ember.js. It was supposed to be a two-part series and I already had the second part ready to go, but I wanted to get more intimate knowledge of Ember before publishing it. It took longer than I thought, and the more I learned about Ember, the clearer it became that I shouldn’t publish my follow-up post. Unfortunately, until now I did not have the time to write anything else, so I should apologize that it took so long, and I should probably apologize again since this is not really going to be a sequel to the previous post.


Securing Private Piwigo Albums

TL;DR: if you just want to see the code and simple install instructions, see the GitHub repo.

Update – The original code had a major rewrite to be used as a plugin that does not require any special NGINX/Apache features, yet can use advanced features like X-Accel-Redirect/X-Sendfile when they are available.
Though the ideas and methods described in this article should still work and are still good for understanding the concept, a new and better implementation is available. Information about the new implementation is in the GitHub repo.

Like many other people, I was looking for a solution to control and share my private photos with family and friends. Google, Facebook and other third parties let you share your content easily with your friends. But do you really know who has access to your private data? Who controls it? And who owns it?

Should you use Ember Cli ?

If you are considering using Ember and are still comparing it to other frameworks, this is not the article for you. Ember has some really strong and positive sides; overall I think Ember is one of the best JavaScript frameworks available today. The way it handles some of the common needs of modern web apps, like routing and data binding, is simply amazing. After considering many other options I’m going to use Ember for a big project I’m working on. This article series is only going to talk about Ember’s issues.
I’m going to be very blunt and might make some people angry. For what it’s worth, I’m only writing it in the hope that it will get enough attention in the Ember community and that these issues will be addressed properly.


ZTE Open phone – upgrading to Firefox OS 1.1 / 1.3 how-to

Update: I’ve realized that I actually compiled and installed Firefox OS v1.3 instead of 1.1, so these instructions will actually cause you to install v1.3.
For me v1.3 is working fine, but if you need to install v1.1, just be sure to configure the right branch.

If you read my previous post about the ZTE Open, you know I was planning to upgrade my phone to version 1.1. After finding instructions on MDN I thought it was going to be easy, but apparently it is not as straightforward as one might think.

This guide basically organizes the information from the mozilla.dev group thread – Updating ZTE Open to 1.1 – and the MDN ZTE Open page.